CCNA Security Lab 1 - Cisco IOS User and Command Privilege Levels - CLI

Lab 1 

Cisco IOS User and Command Privilege Levels 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to
implement different privilege levels for users and commands within the Cisco IOS
software.

Lab Purpose: 

It is important to understand that the Cisco IOS software provides the 
capability to restrict certain commands from being executed by different users 
based on their privilege levels. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



Lab 1 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the 
network diagram. Configure R2 to send R1 clocking information at a rate of 
512Kbps. Ping between R1 and R2 to verify your configuration and ensure that the 
two routers have IP connectivity. 

Task 2: 

Configure R2 with the following command restrictions: 


Command          Privilege Level

ping             15
traceroute       15
show ip route    15
show version     15
show             1
show ip          1

Task 3: 

Configure the following users and corresponding privilege levels on R2: 

Username       Privilege Level   Secret

beginner       1                 Cisco123
intermediate   7                 Cisco456
expert         15                Cisco789

Task 4: 

Configure Telnet access to R2 so that the router authenticates users based on locally configured 
usernames and passwords. 

Task 5: 

Configure R2 so that when the user named intermediate logs into the router, R2 immediately issues the 
output of the show ip interface brief command and logs them out automatically. 

Task 6: 

Telnet into R2 from R1 using username beginner and validate the following: 

You cannot issue the ping command 
You cannot issue the show version command 
You cannot issue the traceroute command 
You cannot issue the show ip route command 


Telnet into R2 from R1 using username intermediate and validate the following: 

The router prints the output of the show ip interface brief command and logs you out

Telnet into R2 from R1 using username expert and validate the following:

You can issue the ping command 

You can issue the show version command 

Lab 1 Configuration and Verification 
Task 1: 

Router(config)#hostname R1
R1(config)#interface serial0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#end
R1#

Router(config)#hostname R2
R2(config)#interface serial0/0
R2(config-if)#no shutdown
R2(config-if)#clock rate 512000
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#exit
R2(config)#exit
R2#

R2#ping 10.1.1.1 

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: 

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms 

Task 2: 

R2(config)#privilege exec level 1 show ip 
R2(config)#privilege exec level 1 show 
R2(config)#privilege exec level 15 ping 
R2(config)#privilege exec level 15 traceroute 
R2(config)#privilege exec level 15 show ip route 
R2(config)#privilege exec level 15 show version 
R2(config)#exit 
R2# 

Task 3: 

R2(config)#username beginner privilege 1 secret cisco123
R2(config)#username intermediate privilege 7 secret cisco456 
R2(config)#username expert privilege 15 secret cisco789 

R2(config)#exit 

R2# 

Task 4: 

R2(config)#line vty 0 4 
R2(config-line)#login local 
R2(config-line)#exit
R2(config)#exit 
R2# 

Task 5: 

R2(config)#username intermediate autocommand show ip interface brief
R2(config)#exit
R2#


Task 6: 

Because the default privilege level of these commands has been changed from 0 to 15, the user
beginner, who is restricted to level 0 commands only, will be unable to execute these commands.
However, any other commands (those that remain at privilege level 0) will still work.
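The behaviour verified in Task 6 follows from two IOS rules that the lab relies on without spelling them out: a user may run a command only if the user's level is at least the level assigned to the longest matching command prefix, and assigning a level to a multi-word command (such as show ip route) also raises its parent keywords (show ip and show) to that level unless they are set individually, which is why Task 2 explicitly puts show and show ip back at level 1. The following Python model is an added illustration of those rules, not Cisco code and not part of the lab; the class, function and variable names are the author's own, and the simplification that an implicitly raised parent never overrides an explicitly assigned level is a modelling assumption, not a statement about IOS internals. The second table, built from the four level-15 lines alone, shows what a level-1 user would lose if the show / show ip reassignments were omitted.

```python
"""Model of how Cisco IOS resolves EXEC command privilege levels.

Added illustration for the lab; not Cisco code. Encodes:
1. `privilege exec level N <multi-word cmd>` also raises the parent keywords
   of that command to N unless they are assigned individually.
2. A typed command is matched against the longest configured prefix and is
   accepted only if the user's level is at least that prefix's level.
Modelling assumption: an implicitly raised parent never overrides a level
that was assigned explicitly.
"""
from typing import Dict, Tuple

DEFAULT_LEVEL = 1      # user EXEC: ping, traceroute and show commands default here
PRIVILEGED_LEVEL = 15  # privileged EXEC

Words = Tuple[str, ...]


class PrivilegeTable:
    """Tracks `privilege exec level N cmd` assignments and parent promotion."""

    def __init__(self) -> None:
        self.explicit: Dict[Words, int] = {}   # levels set by the administrator
        self.implicit: Dict[Words, int] = {}   # parents raised as a side effect

    def privilege_exec(self, level: int, command: str) -> None:
        """Equivalent of `privilege exec level <level> <command>`."""
        words = tuple(command.split())
        self.explicit[words] = level
        # Every proper parent keyword path is raised too, unless set explicitly.
        for i in range(1, len(words)):
            parent = words[:i]
            if parent not in self.explicit:
                current = self.implicit.get(parent, DEFAULT_LEVEL)
                self.implicit[parent] = max(current, level)

    def level_of(self, typed: str) -> int:
        """Level required for a typed command: the longest matching prefix wins."""
        words = tuple(typed.split())
        for i in range(len(words), 0, -1):
            prefix = words[:i]
            if prefix in self.explicit:
                return self.explicit[prefix]
            if prefix in self.implicit:
                return self.implicit[prefix]
        return DEFAULT_LEVEL

    def can_run(self, user_level: int, typed: str) -> bool:
        return user_level >= self.level_of(typed)


def lab_table() -> PrivilegeTable:
    """The six Task 2 assignments, in the order the lab enters them."""
    t = PrivilegeTable()
    for level, cmd in [(1, "show ip"), (1, "show"), (15, "ping"), (15, "traceroute"),
                       (15, "show ip route"), (15, "show version")]:
        t.privilege_exec(level, cmd)
    return t


def without_reassignment() -> PrivilegeTable:
    """Only the four level-15 lines: shows the parent-promotion side effect."""
    t = PrivilegeTable()
    for cmd in ["ping", "traceroute", "show ip route", "show version"]:
        t.privilege_exec(15, cmd)
    return t


USERS = {"beginner": 1, "intermediate": 7, "expert": 15}   # levels from Task 3
CHECKS = ["ping 10.1.1.1", "show version", "traceroute 10.1.1.1",
          "show ip route", "show ip interface brief"]


def report(table: PrivilegeTable) -> Dict[str, Dict[str, bool]]:
    """Which of the Task 6 checks each lab user may run under `table`."""
    return {u: {c: table.can_run(lvl, c) for c in CHECKS} for u, lvl in USERS.items()}


if __name__ == "__main__":
    for name, tbl in [("lab config", lab_table()),
                      ("level-15 lines only", without_reassignment())]:
        print(f"== {name} ==")
        for user, results in report(tbl).items():
            print(user, {c: ("ok" if ok else "denied") for c, ok in results.items()})
```

With the lab's configuration, beginner is denied the four restricted commands but can still run show ip interface brief; with the four level-15 lines alone, show ip has been promoted to 15 and the same user loses every show ip command, which is the lock-out the two level-1 assignments prevent.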

R1#telnet 10.1.1.2

Trying 10.1.1.2 ... Open


User Access Verification

Username: beginner
Password:

R2>ping 10.1.1.1
   ^
% Invalid input detected at '^' marker.

R2>show version
   ^
% Invalid input detected at '^' marker.

R2>traceroute 10.1.1.1
   ^
% Invalid input detected at '^' marker.

R2>show ip route
   ^
% Invalid input detected at '^' marker.

The username [name] autocommand [line] command is used to execute the specified command
immediately after the user logs in and then automatically disconnect the user's session. This security
mechanism can be used to restrict the information certain users can obtain from routers.

R1#telnet 10.1.1.2

Trying 10.1.1.2 ... Open


User Access Verification

Username: intermediate
Password:

Interface          IP-Address    OK? Method Status  Protocol
FastEthernet0/0    172.16.1.2    YES NVRAM  up      up
Serial0/0          10.1.1.2      YES manual up      up

[Connection to 10.1.1.2 closed by foreign host]

R1#

Level 15 users have complete access to the entire suite of Cisco IOS commands. 

R1#telnet 10.1.1.2

Trying 10.1.1.2 ... Open 


User Access Verification 

Username: expert 
Password: 

R2#ping 10.1.1.1 

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: 

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms 
R2# 

R2#show version 

Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)

Technical Support: http://www.cisco.com/techsupport 
Copyright (c) 1986-2009 by Cisco Systems, Inc. 

Compiled Tue 28-Apr-09 11:35 by prod_rel_team 
R2 uptime is 11 hours, 48 minutes
System returned to ROM by power-on 

System image file is "flash:c2600-advsecurityk9-mz.124-15.T9.bin"


This product contains cryptographic features and is subject to United 
States and local country laws governing import, export, transfer and 
use. Delivery of Cisco cryptographic products does not imply 
third-party authority to import, export, distribute or use encryption. 

Importers, exporters, distributors and users are responsible for 
compliance with U.S. and local country laws. By using this product you 
agree to comply with applicable laws and regulations. If you are unable 
to comply with U.S. and local laws, return this product immediately. 

A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 


If you require further assistance please contact us by sending email to 
export@cisco.com. 

Cisco 2650XM (MPC860P) processor (revision 1.0) with 127627K/3445K bytes of memory. 

Processor board ID JAE07170JUQ 

M860 processor: part number 5, mask 2 

1 FastEthernet interface 

1 Serial interface 

32K bytes of NVRAM. 

32768K bytes of processor board System flash (Read/Write) 

Configuration register is 0x2102 


R2# 

R2#exit 

[Connection to 10.1.1.2 closed by foreign host] 


Lab 1 Configurations



R1 Configuration 


R1#show run
Building configuration... 

Current configuration : 2421 bytes 
! 

version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R1 
! 

boot-start-marker
boot-end-marker
! 

no logging console 
! 

no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 


multilink bundle-name authenticated 
! 

! 

crypto pki trustpoint TP-self-signed-533650306 
enrollment selfsigned 

subject-name cn=IOS-Self-Signed-Certificate-533650306 

revocation-check none 

rsakeypair TP-self-signed-533650306 


crypto pki certificate chain TP-self-signed-533650306 
certificate self-signed 02 

30820238 308201A1 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
69666963 6174652D 35333336 35303330 36301E17 0D303230 33303130 31343234 
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 33363530 
33303630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
BFA77FF5 5DA56F31 10110D3C 4FD35D6D 73FCECF4 4CA7C9E3 9D74F273 32C32446 
5037C8DF 3E8C9E91 8BDB70A4 777D4123 5EE29FAF 0B242DE0 90CAAD02 3511FC48 
60F48E39 9F2CBA37 FE3D3A7F 0840F41E DB785FE7 1F45FF1F 58E93C0B D443E328 
D8C0E8C2 7896916E 0B094B2E EBEC9368 C89FC2E1 02468E00 B9B6E9A1 0D4778DB 
02030100 01A36230 60300F06 03551D13 0101FF04 05300301 01FF300D 0603551D 
11040630 04820252 31301F06 03551D23 04183016 80146187 D2B080E6 4CA4B596 
C026BA5E 13E1EA03 A064301D 0603551D 0E041604 146187D2 B080E64C A4B596C0 
26BA5E13 E1EA03A0 64300D06 092A8648 86F70D01 01040500 03818100 1643A58E 
DD5E53CC 19252661 1958B313 5E658456 13686B9E 46EF2D9E DB273F0A AAB16242 
FA41F7DD CF4B006A 86C93C42 33DF5494 9269A702 1515EA22 71F36292 FDFBF0CA
2DAA158D 94759BF0 96BE918C 598A936D 73F743D0 A0B2C415 B5220ECC 720BD0D2 
C9AD4DA1 72201C52 C7011ECF 1B5CF261 31AE28E8 86A6C8DD 9E2B87AD 
quit 

! 

! 

archive 
log config 
hidekeys 



interface FastEthernet0/0
no ip address 
duplex auto 
speed auto 
! 

interface Serial0/0
ip address 10.1.1.1 255.255.255.0 
! 

ip forward-protocol nd
! 

! 

ip http server 
ip http authentication local 
ip http secure-server 
! 

! 

! 

! 

! 

control-plane 

! 

! 

! 

line con 0 
line aux 0 
line vty 0 4 
password cisco 
login local 
! 

! 

end 

R2 Configuration 

R2#show run 
Building configuration... 



Current configuration : 2924 bytes 
! 

version 12.4 

service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 

hostname R2 
! 

boot-start-marker
boot-end-marker
! 

no logging console 
! 

no aaa new-model 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef 
! 

! 

! 

! 

no ip domain lookup 
! 

multilink bundle-name authenticated 
! 

! 

crypto pki trustpoint TP-self-signed-3473940174 
enrollment selfsigned 

subject-name cn=IOS-Self-Signed-Certificate-3473940174 
revocation-check none 
rsakeypair TP-self-signed-3473940174 
! 
!


crypto pki certificate chain TP-self-signed-3473940174 



certificate self-signed 03 

3082023A 308201A3 A0030201 02020103 300D0609 2A864886 F70D0101 04050030 
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
69666963 6174652D 33343733 39343031 3734301E 170D3032 30333031 30313436 
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373339 
34303137 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
8100C824 4F0BABB6 A557E3A3 3EE6D399 5A495CF6 8F7E131A 62670291 9710DF0F 
CB6918CB D3B817C8 51D4648C 79B882A8 637804CB 8984FB80 D9F1D86B E79C8292 
E1617724 252490F4 BE0322C0 5C984515 3E0A4550 75E9BCC7 7A19900C 0084F632 
19643491 5C0E821D 5442E1C8 FB4BE8A3 034E2954 01B4377C DC14AF72 0F4C92DC 
70A90203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603 
551D1104 06300482 02523230 1F060355 1D230418 30168014 4020A082 2373EFEF 
CD379B8C 2A1A4D13 43842D59 301D0603 551D0E04 16041440 20A08223 73EFEFCD 
379B8C2A 1A4D1343 842D5930 0D06092A 864886F7 0D010104 05000381 81001AAA 
E85188C2 E95DE2CF D61FA051 5E1D4C7D C0BC58CB CB80016D 658BBD4B B686C4B2 
1B843186 2D80A25E 345FBFF9 B9976FE3 415FDA67 822C640D D01E1890 6E127888 
5CF59396 BA35884D 1713DE91 6F3EA49C 2BA819FF 80B2861B 04E25605 C10FCC78 
B42586D5 34259EA9 82A1662E 62A5BDD8 8AB52BA4 B9721200 795E512B 9559 
quit 

! 

! 

username beginner privilege 1 secret 5 $1$Yeha$jl.KYeF5h5MTK7UFi7LOtNl
username intermediate privilege 7 secret 5 $1$5sxC$SDQbUDJIpKfFibST8wsPcf.
username intermediate autocommand show ip interface brief
username expert privilege 15 secret 5 $1$KW5c$2aN9EWbsllpfY.FchBr2dfl
archive 
log config 
hidekeys 



! 

interface FastEthernet0/0
no ip address 
duplex auto 
speed auto 
! 

interface Serial0/0

ip address 10.1.1.2 255.255.255.252 
clock rate 512000 
! 

ip forward-protocol nd
! 

! 

ip http server 
ip http authentication local 
ip http secure-server 
! 

! 

! 

! 

! 

control-plane 

! 

! 

privilege exec level 15 traceroute 
privilege exec level 15 ping 
privilege exec level 15 show ip route 
privilege exec level 1 show ip 
privilege exec level 15 show version 
privilege exec level 1 show 
! 

line con 0 


line aux 0 
line vty 0 4 
login local 
!

end 
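The R2 running configuration above contains, in one place, everything Tasks 2 to 5 changed: the privilege exec level lines, the three local usernames with their levels and type-5 secrets, the autocommand attached to intermediate, and login local on the vty lines. When reviewing a device, a practitioner wants those settings pulled out and checked together rather than read by eye. The script below is an added example for this lab (not Cisco tooling and not part of the lab text) that parses such a show run excerpt and reports which commands were moved to which level, which users hold privileged EXEC or have an autocommand, and whether each console, aux and vty line actually requires authentication. SAMPLE_CONFIG is a constructed excerpt modelled on the R2 configuration; the secret hashes in it are placeholders, not the lab's values, and the function, class and field names are the author's own.

```python
"""Audit of privilege-level and line-authentication settings in a Cisco IOS
running-config excerpt. Added example; not Cisco tooling, not part of the lab.
SAMPLE_CONFIG is constructed after the lab's R2 config; hashes are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
no service password-encryption
!
username beginner privilege 1 secret 5 $1$PLAC$EHOLDERhash.beginner
username intermediate privilege 7 secret 5 $1$PLAC$EHOLDERhash.intermed
username intermediate autocommand show ip interface brief
username expert privilege 15 secret 5 $1$PLAC$EHOLDERhash.expert
!
privilege exec level 15 traceroute
privilege exec level 15 ping
privilege exec level 15 show ip route
privilege exec level 1 show ip
privilege exec level 15 show version
privilege exec level 1 show
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
"""


@dataclass
class User:
    name: str
    level: int = 1                    # IOS default level for a local user
    credential: Optional[str] = None  # e.g. "secret 5" or "password 0"
    autocommand: Optional[str] = None


@dataclass
class Line:
    name: str                         # e.g. "vty 0 4"
    login: Optional[str] = None       # None, "login" or "login local"
    password: Optional[str] = None


@dataclass
class Audit:
    privileges: Dict[str, int] = field(default_factory=dict)
    users: Dict[str, User] = field(default_factory=dict)
    lines: Dict[str, Line] = field(default_factory=dict)
    password_encryption: bool = True
    findings: List[str] = field(default_factory=list)


def parse_config(text: str) -> Audit:
    """Extracts only the statements the audit cares about; the rest is skipped."""
    a = Audit()
    current: Optional[Line] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indented = raw.startswith(" ")   # IOS indents sub-mode commands by one space
        tok = raw.split()
        if not indented:
            current = None
        if tok[:3] == ["no", "service", "password-encryption"]:
            a.password_encryption = False
        elif tok[:3] == ["privilege", "exec", "level"]:
            a.privileges[" ".join(tok[4:])] = int(tok[3])
        elif tok[0] == "username":
            # One user may span several lines (one per attribute): merge them.
            u = a.users.setdefault(tok[1], User(tok[1]))
            rest = tok[2:]
            if rest[:1] == ["privilege"]:
                u.level, rest = int(rest[1]), rest[2:]
            if rest[:1] in (["secret"], ["password"]):
                u.credential, rest = f"{rest[0]} {rest[1]}", rest[3:]
            if rest[:1] == ["autocommand"]:
                u.autocommand = " ".join(rest[1:])
        elif tok[0] == "line":
            current = Line(" ".join(tok[1:]))
            a.lines[current.name] = current
        elif indented and current is not None:
            if tok[0] == "login":
                current.login = " ".join(tok)
            elif tok[0] == "password":
                current.password = tok[-1]
    return a


def run_audit(text: str) -> Audit:
    """Parses the config and attaches human-readable findings."""
    a = parse_config(text)
    f = a.findings
    for cmd, lvl in a.privileges.items():
        f.append(f"command '{cmd}' assigned to level {lvl}")
    for u in a.users.values():
        if u.level >= 15:
            f.append(f"user '{u.name}' has full privileged EXEC (level 15)")
        if u.credential and u.credential.startswith("password"):
            f.append(f"user '{u.name}' uses reversible 'password'; use 'secret'")
        elif u.credential == "secret 5":
            f.append(f"user '{u.name}' secret is MD5-based type 5; prefer type 8/9 where supported")
        if u.autocommand:
            f.append(f"user '{u.name}' runs '{u.autocommand}' at login and is then disconnected")
    for ln in a.lines.values():
        if ln.login is None:
            f.append(f"line '{ln.name}' has no login statement: no authentication on this line")
        elif ln.login == "login" and ln.password is None:
            f.append(f"line '{ln.name}' uses 'login' but no line password is set")
        if ln.password and not a.password_encryption:
            f.append(f"line '{ln.name}' password is stored in clear text")
    return a


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_CONFIG).findings:
        print("-", finding)
```

Run against the sample, the audit lists the six privilege reassignments, flags expert as a level-15 user and intermediate as an autocommand user, and reports that con 0 and aux 0 carry no login statement while vty 0 4 authenticates against the local database, which is exactly the state Tasks 2 to 5 leave R2 in.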


© 2006-2011 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited. 


